Back up SAP HANA databases in Azure VMs

SAP HANA databases are critical workloads that require a low recovery-point objective (RPO) and long-term retention. You can back up SAP HANA databases running on Azure virtual machines (VMs) by using Azure Backup.

This article shows how to back up SAP HANA databases that are running on Azure VMs to an Azure Backup Recovery Services vault.

In this article, you'll learn how to:

  • Create and configure a vault
  • Discover databases
  • Configure backups
  • Run an on-demand backup job


See the SAP HANA backup support matrix to know more about the supported configurations and scenarios.


Refer to the prerequisites and the What the pre-registration script does sections to set up the database for backup.

Establish network connectivity

For all operations, an SAP HANA database running on an Azure VM requires connectivity to the Azure Backup service, Azure Storage, and Azure Active Directory. This can be achieved by using private endpoints or by allowing access to the required public IP addresses or FQDNs. Not allowing proper connectivity to the required Azure services may lead to failure in operations like database discovery, configuring backup, performing backups, and restoring data.

The following table lists the various alternatives you can use for establishing connectivity:

| Option | Advantages | Disadvantages |
| --- | --- | --- |
| Private endpoints | Allow backups over private IPs inside the virtual network. Provide granular control on the network and vault side. | Incurs standard private endpoint costs. |
| NSG service tags | Easier to manage as range changes are automatically merged. No additional costs. | Can be used with NSGs only. Provides access to the entire service. |
| Azure Firewall FQDN tags | Easier to manage since the required FQDNs are automatically managed. | Can be used with Azure Firewall only. |
| Allow access to service FQDNs/IPs | No additional costs. Works with all network security appliances and firewalls. You can also use service endpoints for Storage and Azure Active Directory. However, for Azure Backup, you need to assign the access to the corresponding IPs/FQDNs. | A broad set of IPs or FQDNs may be required to be accessed. |
| Virtual Network Service Endpoint | Can be used for Azure Storage (= Recovery Services vault). Provides large benefit to optimize performance of data plane traffic. | Can't be used for Azure AD, Azure Backup service. |
| Network Virtual Appliance | Can be used for Azure Storage, Azure AD, Azure Backup service. Data plane: Azure Storage: *, *, *. Management plane. Learn more about Azure Firewall service tags. | Adds overhead to data plane traffic and decreases throughput/performance. |

More details around using these options are shared below:

Private endpoints

Private endpoints allow you to connect securely from servers inside a virtual network to your Recovery Services vault. The private endpoint uses an IP from the VNET address space for your vault. The network traffic between your resources inside the virtual network and the vault travels over your virtual network and a private link on the Microsoft backbone network. This eliminates exposure from the public internet. Read more on private endpoints for Azure Backup here.


Private endpoints are supported for Azure Backup and Azure Storage. Azure AD supports private endpoints in private preview. Until they are generally available, Azure Backup supports setting up a proxy for Azure AD so that no outbound connectivity is required for HANA VMs. Refer to the proxy support section for more details.

NSG tags

If you use Network Security Groups (NSG), use the AzureBackup service tag to allow outbound access to Azure Backup. In addition to the Azure Backup tag, you also need to allow connectivity for authentication and data transfer by creating similar NSG rules for Azure AD (AzureActiveDirectory) and Azure Storage (Storage). The following steps describe the process to create a rule for the Azure Backup tag:

  1. In All Services, go to Network security groups and select the network security group.

  2. Select Outbound security rules under Settings.

  3. Select Add. Enter all the required details for creating a new rule as described in security rule settings. Ensure the option Destination is set to Service Tag and Destination service tag is set to AzureBackup.

  4. Select Add to save the newly created outbound security rule.

You can similarly create NSG outbound security rules for Azure Storage and Azure AD. For more information on service tags, see this article.
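Once the three rules exist, it is worth checking that none of them is shadowed by a broader deny rule with a lower priority number. The following added example (not part of the original article or of any Microsoft tooling) audits a rule list in first-match order. It assumes the rules were exported as JSON with the field names used by `az network nsg rule list`, that port 443 is the port of interest, that `*` and the `Internet` tag also match traffic to these services, and it ignores source prefixes and regional tags.

```python
# Added example: first-match audit of exported NSG rules (not Microsoft code).
REQUIRED_TAGS = ("AzureBackup", "AzureActiveDirectory", "Storage")
# Assumption: "*" and the Internet tag also match traffic to these public services.
CATCH_ALL = {"*", "Internet"}


def destinations(rule):
    """Collect the single and multi-valued destination fields of one rule."""
    many = rule.get("destinationAddressPrefixes") or []
    return {d for d in [rule.get("destinationAddressPrefix"), *many] if d}


def covers_port(rule, port):
    """True if the rule's destination port range(s) include `port`."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    for item in ranges:
        if item == "*":
            return True
        low, _, high = item.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def audit_outbound(rules, port=443):
    """Return {tag: (verdict, rule_name)}; lowest priority number wins."""
    candidates = sorted(
        (r for r in rules
         if r["direction"].lower() == "outbound"
         and r["protocol"].lower() in ("tcp", "*")
         and covers_port(r, port)),
        key=lambda r: r["priority"])
    verdicts = {}
    for tag in REQUIRED_TAGS:
        verdicts[tag] = ("no-explicit-rule", None)
        for rule in candidates:
            if destinations(rule) & (CATCH_ALL | {tag}):
                verdicts[tag] = (rule["access"].lower(), rule["name"])
                break
    return verdicts


def _rule(name, priority, access, dest, proto="Tcp", port="443"):
    return {"name": name, "priority": priority, "direction": "Outbound",
            "access": access, "protocol": proto,
            "destinationAddressPrefix": dest, "destinationPortRange": port}


# Constructed sample: the Storage allow rule sits below a broad deny.
SAMPLE_RULES = [
    _rule("allow-backup", 100, "Allow", "AzureBackup"),
    _rule("allow-aad", 110, "Allow", "AzureActiveDirectory"),
    _rule("deny-internet", 200, "Deny", "Internet", proto="*", port="*"),
    _rule("allow-storage", 300, "Allow", "Storage"),
]
```

In the constructed sample, `audit_outbound(SAMPLE_RULES)` reports Storage as denied by `deny-internet`, which is the situation where discovery and authentication succeed but data transfer fails.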

Azure Firewall tags

If you're using Azure Firewall, create an application rule by using the AzureBackup Azure Firewall FQDN tag. This allows all outbound access to Azure Backup.

Allow access to service IP ranges

If you choose to allow access to service IPs, refer to the IP ranges in the JSON file available here. You'll need to allow access to IPs corresponding to Azure Backup, Azure Storage, and Azure Active Directory.

Allow access to service FQDNs

You can also use the following FQDNs to allow access to the required services from your servers:

| Service | Domain names to be accessed | Ports |
| --- | --- | --- |
| Azure Backup | * | 443 |
| Azure Storage | * | |
| Azure AD | Allow access to FQDNs under sections 56 and 59 according to this article | As applicable |

Use an HTTP proxy server to route traffic


Currently, we only support HTTP Proxy for Azure Active Directory (Azure AD) traffic for SAP HANA. If you need to remove outbound connectivity requirements (for Azure Backup and Azure Storage traffic) for database backups via Azure Backup in HANA VMs, use other options, such as private endpoints.

Using an HTTP proxy server for AAD traffic
  1. Go to the "opt/msawb/bin" folder

  2. Create a new JSON file named "ExtensionSettingsOverrides.json"

  3. Add key-value pairs to the JSON file as follows:

  4. Change the permissions and ownership of the file as follows:

    chmod 750 ExtensionSettingsOverrides.json
    chown root:msawb ExtensionSettingsOverrides.json
  5. No restart of any service is required. The Azure Backup service will attempt to route the AAD traffic via the proxy server mentioned in the JSON file.

Create a Recovery Services vault

A Recovery Services vault is a management entity that stores recovery points created over time and provides an interface to perform backup-related operations. These operations include taking on-demand backups, performing restores, and creating backup policies.

To create a Recovery Services vault:

  1. Sign in to your subscription in the Azure portal.

  2. Search for Backup center in the Azure portal, and go to the Backup Center dashboard.

    Screenshot that shows searching for and selecting Backup Center.

  3. Select +Vault from the Overview tab.

    Screenshot of the button for creating a vault.

  4. Select Recovery Services vault > Continue.

    Screenshot that shows choosing Recovery Services as the vault type.

  5. The Recovery Services vault dialog opens. Provide the following values:

    • Subscription: Choose the subscription to use. If you're a member of only one subscription, you'll see that name. If you're not sure which subscription to use, use the default (suggested) subscription. There are multiple choices only if your work or school account is associated with more than one Azure subscription.

    • Resource group: Use an existing resource group or create a new one. To see the list of available resource groups in your subscription, select Use existing, and then select a resource from the dropdown list. To create a new resource group, select Create new and enter the name. For more information about resource groups, see Azure Resource Manager overview.

    • Vault name: Enter a friendly name to identify the vault. The name must be unique to the Azure subscription. Specify a name that has at least 2 but not more than 50 characters. The name must start with a letter and consist only of letters, numbers, and hyphens.

    • Region: Select the geographic region for the vault. For you to create a vault to help protect any data source, the vault must be in the same region as the data source.


      If you're not sure of the location of your data source, close the dialog. Go to the list of your resources in the portal. If you have data sources in multiple regions, create a Recovery Services vault for each region. Create the vault in the first location before you create the vault for another location. There's no need to specify storage accounts to store the backup data. The Recovery Services vault and Azure Backup handle that automatically.

    Screenshot that shows boxes for configuring a Recovery Services vault.

  6. After you provide the values, select Review + create.

    Screenshot that shows the Review + create button in the process for creating a Recovery Services vault.

  7. When you're ready to create the Recovery Services vault, select Create.

    Screenshot that shows the final Create button for creating the Recovery Services vault.

  8. It can take a while to create the Recovery Services vault. Monitor the status notifications in the Notifications area at the upper-right corner of the portal. After your vault is created, it's visible in the list of Recovery Services vaults. If you don't see your vault, select Refresh.

    Screenshot that shows the button for refreshing the list of backup vaults.

Enable Cross Region Restore

At the Recovery Services vault, you can enable Cross Region Restore. You must turn on Cross Region Restore before you configure and protect backups on your HANA databases. Learn about how to turn on Cross Region Restore.

Learn more about Cross Region Restore.

Discover the databases

  1. In the Azure portal, go to Backup center and click +Backup.

    Screenshot showing to start checking for SAP HANA databases.

  2. Select SAP HANA in Azure VM as the datasource type, select a Recovery Services vault to use for backup, and then click Continue.

    Screenshot showing to select an SAP HANA database in Azure VM.

  3. Select Start Discovery. This initiates discovery of unprotected Linux VMs in the vault region.

    • After discovery, unprotected VMs appear in the portal, listed by name and resource group.
    • If a VM isn't listed as expected, check whether it's already backed up in a vault.
    • Multiple VMs can have the same name but they belong to different resource groups.

    Screenshot showing to select Start Discovery.

  4. In Select Virtual Machines, select the link to download the script that provides permissions for the Azure Backup service to access the SAP HANA VMs for database discovery.

  5. Run the script on each VM hosting SAP HANA databases that you want to back up.

  6. After running the script on the VMs, in Select Virtual Machines, select the VMs. Then select Discover DBs.

  7. Azure Backup discovers all SAP HANA databases on the VM. During discovery, Azure Backup registers the VM with the vault, and installs an extension on the VM. No agent is installed on the database.

    Screenshot showing the discovered SAP HANA databases.

Configure backup

Now enable backup.

  1. In Step 2, select Configure Backup.

    Screenshot showing to configure Backup.

  2. In Select items to back up, select all the databases you want to protect > OK.

    Screenshot showing to select databases to back up.

  3. In Backup Policy > Choose backup policy, create a new backup policy for the databases, in accordance with the instructions below.

    Screenshot showing to choose backup policy.

  4. After creating the policy, on the Backup menu, select Enable backup.

    Enable backup

  5. Track the backup configuration progress in the Notifications area of the portal.

Create a backup policy

A backup policy defines when backups are taken, and how long they're retained.

  • A policy is created at the vault level.
  • Multiple vaults can use the same backup policy, but you must apply the backup policy to each vault.


Azure Backup doesn’t automatically adjust for daylight saving time changes when backing up an SAP HANA database running in an Azure VM.

Modify the policy manually as needed.

Specify the policy settings as follows:

  1. In Policy name, enter a name for the new policy.

    Enter policy name

  2. In Full Backup policy, select a Backup Frequency: choose Daily or Weekly.

    • Daily: Select the hour and time zone in which the backup job begins.
      • You must run a full backup. You can't turn off this option.
      • Select Full Backup to view the policy.
      • You can't create differential backups for daily full backups.
    • Weekly: Select the day of the week, hour, and time zone in which the backup job runs.

    Select backup frequency

  3. In Retention Range, configure retention settings for the full backup.

    • By default all options are selected. Clear any retention range limits you don't want to use, and set those that you do.
    • The minimum retention period for any type of backup (full/differential/log) is seven days.
    • Recovery points are tagged for retention based on their retention range. For example, if you select a daily full backup, only one full backup is triggered each day.
    • The backup for a specific day is tagged and retained based on the weekly retention range and setting.
    • The monthly and yearly retention ranges behave in a similar way.
  4. In the Full Backup policy menu, select OK to accept the settings.

  5. Select Differential Backup to add a differential policy.

  6. In Differential Backup policy, select Enable to open the frequency and retention controls.

    • At most, you can trigger one differential backup per day.
    • Differential backups can be retained for a maximum of 180 days. If you need longer retention, you must use full backups.

    Differential backup policy


    You can choose either a differential or an incremental as a daily backup but not both.

  7. In Incremental Backup policy, select Enable to open the frequency and retention controls.

    • At most, you can trigger one incremental backup per day.
    • Incremental backups can be retained for a maximum of 180 days. If you need longer retention, you must use full backups.

    Incremental backup policy

  8. Select OK to save the policy and return to the main Backup policy menu.

  9. Select Log Backup to add a transactional log backup policy.

    • In Log Backup, select Enable. This can't be disabled, since SAP HANA manages all log backups.
    • Set the frequency and retention controls.


    Log backups only begin to flow after a successful full backup is completed.

  10. Select OK to save the policy and return to the main Backup policy menu.

  11. After you finish defining the backup policy, select OK.


Each log backup is chained to the previous full backup to form a recovery chain. This full backup will be retained until the retention of the last log backup has expired. This might mean that the full backup is retained for an extra period to make sure all the logs can be recovered. Let's assume a user has a weekly full backup, daily differential backups, and 2-hour logs, all of them retained for 30 days. The weekly full can be cleaned up/deleted only after the next full backup is available, that is, after 30 + 7 days. For example, a weekly full backup happens on Nov 16th. According to the retention policy, it should be retained until Dec 16th. The last log backup for this full happens before the next scheduled full, on Nov 22nd. Because this log is available until Dec 22nd, the Nov 16th full can't be deleted until then. So, the Nov 16th full is retained until Dec 22nd.
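The recovery-chain rule above can be worked through in code. This added example (not from the original article, and not how Azure Backup itself is implemented) computes the nominal and effective expiry of each full backup. It generalizes the scenario to per-backup retention values; the function name, the year 2020, and the one-log-per-day sample are assumptions made for illustration.

```python
from datetime import date, timedelta


def effective_full_expiry(fulls, dependents, full_retention_days):
    """Map each full backup date to (nominal_expiry, effective_expiry).

    `dependents` is a list of (taken_on, retention_days) for log, differential
    or incremental backups. Each one is chained to the latest full taken on or
    before it, and that full must outlive every backup chained to it.
    """
    fulls = sorted(fulls)
    result = {}
    for i, full in enumerate(fulls):
        next_full = fulls[i + 1] if i + 1 < len(fulls) else date.max
        nominal = full + timedelta(days=full_retention_days)
        chain_expiries = [
            taken + timedelta(days=keep)
            for taken, keep in dependents
            if full <= taken < next_full
        ]
        result[full] = (nominal, max([nominal, *chain_expiries]))
    return result


# Constructed sample matching the scenario above (year chosen arbitrarily):
# weekly fulls on Nov 16 and Nov 23, the last log of each day from
# Nov 16 through Nov 29, everything retained for 30 days.
FULLS = [date(2020, 11, 16), date(2020, 11, 23)]
LOGS = [(date(2020, 11, 16) + timedelta(days=n), 30) for n in range(14)]


def extra_days_held(fulls, dependents, full_retention_days):
    """Days each full is kept beyond its nominal retention."""
    expiry = effective_full_expiry(fulls, dependents, full_retention_days)
    return {full: (eff - nom).days for full, (nom, eff) in expiry.items()}
```

For the sample, the Nov 16 full has a nominal expiry of Dec 16 and an effective expiry of Dec 22, so storage planning should budget for the extra six days per full.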

Run an on-demand backup

Backups run in accordance with the policy schedule. You can run a backup on-demand as follows:

  1. In the vault menu, select Backup items.

  2. In Backup Items, select the VM running the SAP HANA database, and then select Backup now.

  3. In Backup Now, choose the type of backup you want to perform. Then select OK.

    The retention period of this backup is determined by the type of on-demand backup you have run.

    • On-demand full backups are retained for a minimum of 45 days and a maximum of 99 years.
    • On-demand differential backups are retained as per the log retention set in the policy.
    • On-demand incremental backups aren't currently supported.
  4. Monitor the portal notifications. You can monitor the job progress in the vault dashboard > Backup Jobs > In progress. Depending on the size of your database, creating the initial backup may take a while.

Run SAP HANA Studio backup on a database with Azure Backup enabled

If you want to take a local backup (using HANA Studio) of a database that's being backed up with Azure Backup, do the following:

  1. Wait for any full or log backups for the database to finish. Check the status in SAP HANA Studio / Cockpit.
  2. Disable log backups, and set the backup catalog to the file system for the relevant database.
  3. To do this, double-click systemdb > Configuration > Select Database > Filter (Log).
  4. Set enable_auto_log_backup to No.
  5. Set log_backup_using_backint to False.
  6. Set catalog_backup_using_backint to False.
  7. Take an on-demand full backup of the database.
  8. Wait for the full backup and catalog backup to finish.
  9. Revert the previous settings back to those for Azure:
    • Set enable_auto_log_backup to Yes.
    • Set log_backup_using_backint to True.
    • Set catalog_backup_using_backint to True.
